The Open Web Application Security Project (OWASP) is a 501c3 not-for-profit worldwide charitable organization focused on improving the security of application software. Our mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. Everyone is free to participate in OWASP and all of our materials are available under a free and open software license.

Thursday, December 29, 2016

Combating the Vulnerability Chaos with OWASP DefectDojo

Four short years ago, I spent 35% of my time actually hacking on products and 65% of my time writing reports and recording metrics. Our team tried a multitude of tools to make our lives easier, but it seemed to only increase our turnover rates. The landscape of security has never been harder to manage with the numerous hoops engineers and penetration testers have to jump through to actually do their job. To alleviate our frustration and lack of options we created DefectDojo, a free and open-source vulnerability management tool.

Home Screen: Here is what you will see when you first log in to DefectDojo.
It provides a quick overview of the state of your security program.

DefectDojo is a tool that not only stores findings, but also helps to streamline your entire application security program. It simplifies vulnerability management by offering templating, report generation, metrics, finding deduplication, and baseline self-service tools to allow security engineers and penetration testers to spend their time on their actual expertise, hacking. Comprehensive details on all of DefectDojo’s features can be found on our official docs.

Templating: DefectDojo's templating system saves time on reporting
by allowing users to recycle previous entries on similar issues.

Report Generation: DefectDojo includes a multitude of options to generate custom reports including
filtering for a specific engagement or test-type. For an example report see the link below.

Every code change is checked for quality and security with continuous testing using Travis CI. We do this to ensure that future updates do not break the current build. We also run the same series of tests against any contributed code. Speaking of contributions, we’re happy to take your pull requests, feature requests or donations to keep DefectDojo moving forward. We’ve had several pull requests from new contributors, including a recent one that added file uploads to the REST API.

Continuous Integration: Every code change is run against a series of tests to ensure stable updates.

It is easy to make Dojo your own. You can install DefectDojo using a single command on all Linux systems and OS X. There is also an option for Docker. The project is written with Python/Django. If you want to add or alter any features or displays to personalize your instance, only three files need to be changed (models.py, views.py, and templates).

DefectDojo is currently used by multiple large enterprises and has core contributors from five different organizations including Rackspace, Rapid7, Pearson, Cengage, and the OWASP Foundation.

DefectDojo works at scale. For example, Pearson uses DefectDojo to manage application security engagements for 2,000+ applications written by 5,000+ developers with operations on every continent.